Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000


A hacker (or group of hackers) has hijacked the DNS servers of, a web-based Ether wallet service.

Users accessing the site were redirected to a fake version of the website. Those who logged in had their wallet private keys stolen, which the attacker used to empty accounts.

MyEtherWallet admins detected the DNS hijacking event and attempted to warn users via Twitter.

The fake website was easy to spot because attackers used a self-signed TLS certificate that triggered an error with all modern browsers.

However, not all users paid attention to the HTTPS error and proceeded to log into their accounts. According to users who reported losing funds, the hacker collected Ether at 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.

After approximately two hours and after MyEtherWallet started regaining access over its DNS entries, the hacker transferred the stolen funds to another account. All in all, the attacker made off with 215 Ether, the equivalent of $160,000, at the time of the transaction.

According to Oracle’s Internet Intelligence division (formerly known as Dyn Research), the hacker was able to hijack DNS entries after executing a BGP route hijack that redirected entire swaths of Internet traffic meant for Amazon servers to systems they controlled.

Some of the hijacked traffic was for Amazon DNS servers, used by the MyEtherWallet team. Attackers then pointed domain name resolutions for the domain to an IP address located in Russia, where they hosted their fake version of the MyEtherWallet website that logged private keys.

The MyEtherWallet incident is not the first DNS hijacking attack against a cryptocurrency-related domain. In January 2018, hackers hijacked the servers of and managed to steal over $400,000 of Stellar Lumen (XLM) funds.

EtherDelta suffered a similar DNS hijacking incident before Christmas 2017, but to this day we still don’t know how many funds the attacker stole. Classic Ether Wallet and the Etherparty ICO website also suffered DNS hijackings.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top